
I'm looking for some guidance on the best way to authenticate to my WebService. Right now, I have a standard WebService on .NET 3.5, and a MVC website that sits on top of this WebService.

The MVC website uses OpenID to authenticate users, and during the development phase, we have simply been passing the user's OpenID Claimed Identifier to the WebService to authenticate. Obviously this is not what we will be releasing to the customer when we go live.

So my question is this: What's the best way to authenticate to the WebService?

Some of the APIs I've played around with use Authentication Tokens. Another idea we had was to, upon connection to the WebService, pass the client an encryption key which they could use for all transfers.

I'm thinking out loud here, and again, any help is greatly appreciated! Thanks!

...

UPDATE: Right now I have created a custom SoapAuthenticationHeader which has an OpenIdURL property. This is used on all service calls to authenticate the user. The problem is two-fold:

  1. If a hacker knows a user's OpenIdURL, they can easily gain access to the WebService.
  2. The OpenIdURL is currently passed in plain-text.

So I could pass an encryption key to the client upon connection to the WebService, and have the client encrypt the OpenIdURL in the SoapAuthentication header. But I'm not sure about how to best go about that...

Matt McCormick
  • When you say "standard web service" do you mean a legacy ASMX service, or are you using WCF? – John Saunders Jul 08 '09 at 13:59
  • This is close to what I'm looking forward to, but it would be great if someone could just explain this a little further. http://stackoverflow.com/questions/544388/openid-authentication-and-api-access – Matt McCormick Jul 08 '09 at 13:59
  • I am using a standard ASMX WebService, and the MVC is accessing the WebService as a Service Reference (which I think is a WCF wrapper?). – Matt McCormick Jul 08 '09 at 14:00
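The weakness described in the update (the header carries the user's OpenID identifier itself, so anyone who knows that identifier can call the service) is the usual reason to move to a server-issued, expiring token. The following is an added example, not the asker's code: an ASMX service that accepts a random token in a custom SoapHeader and resolves it back to the OpenID identifier on the server side. The names `AuthTokenHeader`, `TokenStore`, `SecuredService` and the service namespace are assumptions; the token-issuing call is assumed to be reachable only by the trusted MVC front end (for example over a shared secret or a separate, IIS-protected endpoint), since an unprotected `Issue` would reintroduce the same problem. Transport should be TLS so the token is not exposed in plain text.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;

// Assumed header: carries an opaque, server-issued token instead of the OpenID URL.
public class AuthTokenHeader : SoapHeader
{
    public string Token;
}

// Hypothetical in-memory token store. A real deployment would back this with a
// database or cache shared by all worker processes hosting the service.
public static class TokenStore
{
    private class TokenRecord
    {
        public string OpenIdUrl;
        public DateTime Expires;
    }

    private static readonly Dictionary<string, TokenRecord> Tokens = new Dictionary<string, TokenRecord>();
    private static readonly object Sync = new object();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    // Called by the MVC site once OpenID authentication has completed. Only the
    // trusted front end may reach this (assumed to be enforced outside this class).
    public static string Issue(string openIdUrl)
    {
        byte[] raw = new byte[32];                       // 256 bits of CSPRNG output
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(raw);
        }
        string token = Convert.ToBase64String(raw);
        lock (Sync)
        {
            Tokens[token] = new TokenRecord { OpenIdUrl = openIdUrl, Expires = DateTime.UtcNow.Add(Lifetime) };
        }
        return token;
    }

    // Returns the OpenID identifier bound to a live token, or null when the token
    // is missing, unknown or expired. Expired entries are dropped on sight.
    public static string Validate(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        lock (Sync)
        {
            TokenRecord rec;
            if (!Tokens.TryGetValue(token, out rec)) return null;
            if (rec.Expires < DateTime.UtcNow)
            {
                Tokens.Remove(token);
                return null;
            }
            return rec.OpenIdUrl;
        }
    }

    // Logout or compromise handling: a revoked token stops working immediately.
    public static void Revoke(string token)
    {
        lock (Sync) { Tokens.Remove(token); }
    }
}

[WebService(Namespace = "http://example.invalid/tokenauth")]   // placeholder namespace
public class SecuredService : WebService
{
    // ASMX populates this field from the incoming SOAP header.
    public AuthTokenHeader Auth;

    [WebMethod]
    [SoapHeader("Auth", Direction = SoapHeaderDirection.In)]
    public string WhoAmI()
    {
        string user = TokenStore.Validate(Auth == null ? null : Auth.Token);
        if (user == null)
        {
            // Reject with a client fault; no OpenID identifier is ever accepted from the caller.
            throw new SoapException("Missing, unknown or expired token", SoapException.ClientFaultCode);
        }
        return user;
    }
}
```

The check every protected `[WebMethod]` needs is the `Validate` call at the top of `WhoAmI`; the identifier the business logic trusts is what the server stored at issue time, not anything in the request. Expiry and `Revoke` bound the damage if a token does leak, which a long-lived identifier such as an OpenID URL cannot offer.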

3 Answers

You might want to take a look at OAuth:

http://oauth.net/

(Use http://oauth.net/code/ for coding.)

As it is geared specifically for this scenario (Open ID isn't, really).

There is another question on SA which asks about the best way to secure a web service, and Open ID and OAuth are both discussed:

Web Service Authentication using OpenID

casperOne
  • When you say "this scenario", which one are you referring to? ASMX services? – John Saunders Jul 08 '09 at 14:05
  • Thanks, this has pointed me in the right direction. I want to see what the rest of the community has to share, before I mark this as answered. While I don't think I need all the functionality that OAuth has to offer, the Protocol Workflow page offers some great information about Request Tokens and Access Tokens. – Matt McCormick Jul 08 '09 at 14:08
  • @John Saunders: I'm referring to Open ID vs OAuth, not really ASMX vs WS-* web services. Open ID isn't really meant for use with APIs, whereas OAuth is. – casperOne Jul 08 '09 at 14:08

ASMX web services (which Microsoft now considers to be "legacy") have no ability to use OpenID for authentication. They can only use what IIS provides to them. You could possibly add a SoapExtension that would do OpenID authentication for them, but I wouldn't spend time there.

I don't know enough about OpenID to be certain, but I suspect it can integrate with WCF through federated security. I'm sure someone else will answer with details on that.

John Saunders
  • My apologies. Right now I have created a custom SoapAuthenticationHeader which has an OpenIdURL property. This is used on all service calls to authenticate the user. – Matt McCormick Jul 08 '09 at 14:04
  • Could you update your question with that information? In particular, if you've got this header, what more are you looking for? – John Saunders Jul 08 '09 at 14:06
  • What, "legacy"? Oh, Microsoft... ASMX WebServices are great! :) – Matt McCormick Jul 08 '09 at 14:14
  • They're great if your needs are simple. In any case, they've been replaced by WCF, and are now considered legacy. See http://johnwsaundersiii.spaces.live.com/blog/cns!600A2BE4A82EA0A6!860.entry. – John Saunders Jul 08 '09 at 14:29

This isn't really an answer, but I can't leave comments...

You say "I have a standard WebService on .NET 3.5, and a MVC website that sits on top of this WebService".

I might be way off base here, but the language implies that these two sit on the same server. If so, why can't you just share the users database and the cookie token?

James

James S